MDX for authorization in a cube

I have an MDX statement which works on a hierachie and is supposed to show certain groups ony the data they are allowed to see. Some Users are also in groups that are not allowed to see any data in this cube but have some other groups that are allowed to see data.

My statement works finde as long as the user only has groups that are allowed to see at least some data. If the user also has a group that isn't allowed to see any data I get an data set is empty error.

I need the user to still be able to see the data he is allowed to see, even though he has groups that aren't allowed to see data. Is there way to achieve this?

Re: MDX for authorization in a cube

Because these can be quite tricky to troubleshoot, and there are a number of different ways this can be done, perhaps you can post a concrete example (changing names/values as appropriate to protect privacy) for an individual where it is failing including:

1) The identity heirarchy for the individual showing which groups they are a member of an how they are a member - this is used to prioritize access controls.

2) All relevent permission conditions that have been applied to the dimension for any of the groups in the individuals identity hierarchy (including SASUSERS and PUBLIC)

Additionally, we have a (commercial) Metacoda Permissions Tracer plug-in that can show all of the relevant (and irrelevant) permissions (and permission conditions) for a user's access to a cube dimension including precedance info based on access control type and identity hierarchy levels. I'd be happy to walk you through it via a web meeting if you want to try it out.